LinuxQuestions.org
07-02-2012, 03:51 PM   #1
pauloedusp (LQ Newbie)

OpenLDAP + RH 5.7 64 bits


Messrs.
I need your help to open my mind in order to resolve some outstanding issues. I have a Red Hat 5.7 server and want to install OpenLDAP to centralize access to servers.
However, my doubt is not about the installation; it is about how I can separate access, e.g.:
the DBAs can only access the database servers,
the network staff can only access the servers related to networks,
production personnel can only access the backup machine.
Finally, how can I put access rules in LDAP?
Would groups be possible? Or should I separate this in sshd_config in /etc/ssh?
Would there be some easier way to configure this in LDAP?
Or would I have to use the ACL settings?
Would anyone have any ideas?
 
07-02-2012, 04:01 PM   #2
Kustom42 (Senior Member, Distribution: Red Hat)

We use LDAP and simply use the built-in permissions for access. Anyone can log on to pretty much any machine in the network, but they are limited to their user rights and sudoers setup. So there are quite a few boxes that our Oracle DBAs can log into but can't do anything on outside of their home directory.

If you really want to get into this level of access control, I have heard of solutions like Centrify working really well for enterprise systems, and you may want to give one of those types of products an evaluation run to see if it's something that you're looking for.

Typically LDAP is used with ACL and OS based permissions but maybe someone else out there has some insight.

Here's some stuff I found that might help:

http://www.gentoo.org/doc/en/ldap-howto.xml
http://www.yolinux.com/TUTORIALS/Lin...XLDAPTUTORIALS

07-10-2012, 09:59 AM   #3
pauloedusp (Original Poster)

Kustom42

Thanks for the tip about Centrify; it has entered the plans for future deployment, however I need a simple solution at this time.
I'm installing only LDAP for now; I'm just looking at integrating the tools available such as Centrify, but first I'm puzzling over this LDAP server 2.4.23 on Red Hat 6.2 64-bit.
I'll post all the configurations below, ok.

1_) ldap packages installed:

[root@xxxx openldap]# rpm -qa | grep -i ^openl
openldap-2.4.23-20.el6.x86_64
openldap-servers-2.4.23-20.el6.x86_64
openldap-clients-2.4.23-20.el6.x86_64
openldap-devel-2.4.23-20.el6.x86_64

2_) permissions of the directory /etc/openldap:

[root@xxxx openldap]# ls -l /etc/openldap

-rw-rw---- 1 ldap ldap 845 Jul 9 16:07 DB_CONFIG.example
-rw-rw---- 1 ldap ldap 272 Jul 10 16:02 ldap.conf
-rw-rw---- 1 ldap ldap 245 Jul 9 16:07 ldap.conf.default
-rw-rw---- 1 ldap ldap 2291 Jul 9 17:50 olcDatabase={2}bdb.ldif.original
drw-rw---- 2 ldap ldap 4096 Jul 9 17:25 schema
-rw-r--r-- 1 ldap ldap 2491 Jul 10 16:49 slapd.conf
-rw-r--r-- 1 ldap ldap 2491 Jul 10 16:49 slapd.conf.bak
-rw-r----- 1 ldap ldap 3419 Jul 10 16:23 slapd.conf.bak-ori
-rw-rw---- 1 ldap ldap 2092 Jul 9 16:07 slapd.conf.default
drw-rw---- 3 ldap ldap 4096 Jul 10 16:53 slapd.d
-rw-r--r-- 1 ldap ldap 1470 Jul 10 16:48 slapd.ldif
-rw-rw---- 1 ldap ldap 2577 Jul 9 16:07 slapd.ldif.default

3_) more slapd.conf

[root@xxxx openldap]# more slapd.conf

#
###### SAMPLE 1 - SIMPLE DIRECTORY ############
#
# NOTES: inetorgperson picks up attributes and objectclasses
# from all three schemas
#
# NB: RH Linux schemas in /etc/openldap
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema


# NO SECURITY - no access clause
# defaults to anonymous access for read
# only rootdn can write

# NO REFERRALS

# DON'T bother with ARGS file unless you feel strongly
# slapd scripts stop scripts need this to work
pidfile /var/run/slapd.pid

# enable a lot of logging - we might need it
# but generates huge logs
loglevel -1

# MODULELOAD definitions
# not required (comment out) before version 2.3
moduleload back_bdb.la

# NO TLS-enabled connections

# backend definition not required

#######################################################################
# bdb database definitions
#
# replace example and com below with a suitable domain
#
# If you don't have a domain you can leave it since example.com
# is reserved for experimentation or change them to my and inc
#
#######################################################################

database bdb
suffix "dc=energia,dc=org,dc=br"

# root or superuser
rootdn "cn=manager,dc=energia,dc=org,dc=br"
rootpw {SSHA}nqOy2+SMCkZOl/6/CUmPhlWjwy2FJ7EH
# The database directory MUST exist prior to running slapd AND
# change path as necessary
directory /var/lib/ldap

# Indices to maintain for this directory
# unique id so equality match only
index uid eq
# allows general searching on commonname, givenname and email
index cn,gn,mail eq,sub
# allows multiple variants on surname searching
index sn eq,sub
# sub above includes subintial,subany,subfinal
# optimise department searches
index ou eq
# if searches will include objectClass uncomment following
# index objectClass eq
# shows use of default index parameter
index default eq,sub
# indices missing - uses default eq,sub
index telephonenumber

# other database parameters
# read more in slapd.conf reference section
cachesize 10000
checkpoint 128 15

# before the first database definition
database config
# # NOTE: the suffix is hardcoded as cn=config and
# # MUST not have a suffix directive
# # normal rules apply - rootdn can be anything you want
# # but MUST be under cn=config
rootdn "cn=admin,cn=config"
# # use any of the supported password formats e.g. {SSHA} etc
# # or plaintext as shown
rootpw "cn=admin,cn=config"

4_) More slapd.ldif
## DEFINE DIT ROOT/BASE/SUFFIX ####
## uses RFC 2377 format
## replace example and com as necessary below
## or for experimentation leave as is

## dcObject is an AUXILLIARY objectclass and MUST
## have a STRUCTURAL objectclass (organization in this case)
# this is an ENTRY sequence and is preceded by a BLANK line

dn: dc=energia,dc=org,dc=br
dc: energia
description: My wonderful company as much text as you want to place
 in this line up to 32K continuation data for the line above must
 have <CR> or <CR><LF> i.e. ENTER works
 on both Windows and *nix system - new line MUST begin with ONE SPACE
objectClass: dcObject
objectClass: organization
o: Energia, Inc.

## FIRST Level hierarchy - people
## uses mixed upper and lower case for objectclass
# this is an ENTRY sequence and is preceded by a BLANK line

dn: ou=people,dc=energia,dc=org,dc=br
ou: people
description: All people in organisation
objectclass: organizationalunit

## SECOND Level hierarchy
## ADD a single entry under FIRST (people) level
# this is an ENTRY sequence and is preceded by a BLANK line
# the ou: Human Resources is the department name

dn: cn=Robert Smith,ou=people,dc=energia,dc=org,dc=br
objectclass: inetOrgPerson
cn: Robert Smith
cn: Robert J Smith
cn: bob smith
sn: smith
uid: rjsmith
userpassword: rJsmitH
carlicense: HISCAR 123
homephone: 555-111-2222
mail: r.smith@example.com
mail: rsmith@example.com
mail: bob.smith@example.com
description: swell guy
ou: Human Resources

5_) Creating the database

[root@xxxx openldap]# slapadd -f slapd.conf -l slapd.ldif -F /var/lib/ldap
4ffc87c3 bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
_#################### 100.00% eta none elapsed none fast!
Closing DB...

6_) permissions of the directory /var/lib/ldap

[root@xxxx openldap]# ls -l /var/lib/ldap

-rw-r--r-- 1 ldap ldap      2048 Jul 10 17:13 alock
-rw------- 1 ldap ldap      8192 Jul 10 16:51 cn.bdb
-rw------- 1 ldap ldap     24576 Jul 10 17:13 __db.001
-rw------- 1 ldap ldap   4702208 Jul 10 17:13 __db.002
-rw------- 1 ldap ldap 125124608 Jul 10 17:13 __db.003
-rw------- 1 ldap ldap     98304 Jul 10 17:13 __db.004
-rw------- 1 ldap ldap   1179648 Jul 10 17:13 __db.005
-rw------- 1 ldap ldap     32768 Jul 10 17:13 __db.006
-rw-rw-r-- 1 ldap ldap        98 Jul  9 18:39 DB_CONFIG
-rw------- 1 ldap ldap      8192 Jul 10 16:51 dn2id.bdb
-rw------- 1 ldap ldap     32768 Jul 10 16:51 id2entry.bdb
-rw------- 1 ldap ldap  10485760 Jul 10 17:13 log.0000000001
-rw------- 1 ldap ldap      8192 Jul 10 16:51 mail.bdb
-rw------- 1 ldap ldap      8192 Jul 10 16:51 ou.bdb
-rw------- 1 ldap ldap      8192 Jul 10 16:51 sn.bdb
-rw------- 1 ldap ldap      8192 Jul 10 16:51 uid.bdb

7_) more /var/lib/ldap/DB_CONFIG

[root@xxxx openldap]# more /var/lib/ldap/DB_CONFIG

set_cachesize 0 100097152 0
set_lk_max_objects 1500
set_lk_max_locks 1500
set_lk_max_lockers 1500

8_) import slapd.conf into slapd.d

[root@xxxx openldap]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
config file testing succeeded

9_) Error bringing up the service:

[root@xxx ldap]# /etc/init.d/slapd start
Checking configuration files for slapd: [FAILED]
ldif_read_file: Permission denied for "/etc/openldap/slapd.d/cn=config.ldif"
slaptest: bad configuration file!

10_) Permissions of cn=config.ldif

drwx------ 3 ldap ldap 4096 Jul 9 18:55 cn=config
-rw------- 1 ldap ldap  886 Jul 9 17:39 cn=config.ldif

11_) Test.

[root@xxx openldap]# slapd -d -1 -f /etc/openldap/slapd.d/cn\=config -u ldap
@(#) $OpenLDAP: slapd 2.4.23 (Oct 4 2011 07:43:22) $
mockbuild@x86-010.build.bos.redhat.com:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd
ldap_pvt_gethostbyname_a: host=lxas01, r=0
daemon_init: <null>
daemon_init: listen on ldap:///
daemon_init: 1 listeners to open...
ldap_url_parse_ext(ldap:///)
daemon: listener initialized ldap:///
daemon_init: 2 listeners opened
ldap_create
slapd init: initiated server.
slap_sasl_init: initialized!
bdb_back_initialize: initialize BDB backend
bdb_back_initialize: Berkeley DB 4.7.25: (June 4, 2010)
hdb_back_initialize: initialize HDB backend
hdb_back_initialize: Berkeley DB 4.7.25: (June 4, 2010)
null_back_initialize: initialize null backend
could not stat config file "/etc/openldap/slapd.d/cn=config": Permission denied (13)
slapd destroy: freeing system resources.
slapd stopped.
connections_destroy: nothing to destroy.


Can someone help me with this error? Has someone gone through this?

Thank you in advance!!

Last edited by pauloedusp; 07-10-2012 at 03:53 PM.
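An added check, not from the thread: the listing in step 2 shows slapd.d and schema as drw-rw----, i.e. without the execute (search) bit, and a directory that cannot be searched makes stat() on everything beneath it fail with EACCES even for its owner, which is the situation slapd meets once it has dropped to the unprivileged ldap user. The POSIX shell function below walks a path's directory components and reports any whose owner lacks the search bit; the demo tree under mktemp is constructed here to mirror that listing.

```shell
#!/bin/sh
# check_traverse PATH: report every directory component of PATH whose owner
# lacks the search (x) bit. A directory without x cannot be entered, so
# stat() on anything inside it fails with EACCES even for the owner; slapd
# run as the unprivileged ldap user (-u ldap) is subject to that.
check_traverse() {
    target=$1
    bad=0
    path=""
    old_ifs=$IFS
    IFS=/
    set -f; set -- $target; set +f   # split on "/" without globbing
    IFS=$old_ifs
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        path="$path/$comp"
        [ -d "$path" ] || continue           # only directories need x
        mode=$(ls -ld "$path" | cut -c1-10)  # e.g. drw-rw----
        case $mode in
            ???[xs]*) ;;                     # owner has search permission
            *) echo "missing owner search bit: $mode $path"; bad=$((bad + 1)) ;;
        esac
    done
    return $bad   # 0 means every directory on the path is traversable
}

# Constructed demo tree (hypothetical, under mktemp) mirroring the thread's
# listing: slapd.d is drw-rw---- while cn=config inside it is drwx------.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/openldap/slapd.d/cn=config"
    chmod 700 "$root/etc/openldap/slapd.d/cn=config"
    chmod 660 "$root/etc/openldap/slapd.d"   # done last: removes the x bit
    echo "$root"
}

cleanup_demo_tree() {
    chmod 770 "$1/etc/openldap/slapd.d"      # restore x so rm can descend
    rm -rf "$1"
}

demo=$(make_demo_tree)
if check_traverse "$demo/etc/openldap/slapd.d/cn=config.ldif"; then
    echo "every directory on the path is searchable"
else
    echo "slapd would get EACCES here; chmod u+x (e.g. 750) the directories above"
fi
cleanup_demo_tree "$demo"
```

Run the function against the real /etc/openldap/slapd.d/cn=config.ldif on the affected host to see which component is blocking; ls -l alone hides this because file ownership looks correct.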